Digital Conflict blog

By Kevin Coleman

Recently, information about a new cyberattack that targets schematics and blueprints became public. Some cybersecurity professionals believe that this attack was a reconnaissance mission, and that the documents were badly needed intelligence for planning cyberattacks against control systems. The highly focused attack appears to have targeted AutoCAD files. AutoCAD is a popular computer-aided design software program that supports drafting as well as 2D and 3D design and modeling. This CAD software is commonly used within the aerospace and defense industries, and also in the energy sector, including nuclear engineering, which increases the concern over this attack.

Investigations into this new piece of malicious software have uncovered that the thousands of schematics and blueprints collected by the espionage malware were sent via e-mail to an inbox traced back to China. For reasons not yet known, the malicious software has a high degree of concentration in Latin America. According to the Latin American Economic Outlook 2012 report, the Latin American region is expected to grow 4.1 percent economically this year.

This high growth could be one driver behind the concentration. Another consideration is the fact that industrial activities represent an important source of economic growth in that region. Current details about this attack would seem to indicate that the broad nature of the document collection does not lend itself to the identification of a specific programmable logic controller (PLC), manufacturer of supervisory control and data acquisition (SCADA) equipment, or distributed control (DC) system. We are very early in the investigation of this incident and information is quite limited. It will be interesting to see, as the investigation evolves, whether there are cyberattacks against the systems and equipment associated with the stolen CAD files.
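The exfiltration path described above, CAD drawings leaving the organization as e-mail attachments to a single external inbox, is something a mail gateway log can reveal. The following is an added example, not code from the blog or from any investigation it reports on: it parses constructed mail-gateway log lines (the four-field line format, the internal domain `corp.example`, the external addresses and the alert threshold are all assumptions made for the example) and flags sender/recipient pairs that send several CAD files to an external address.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway log (not from the blog or any real incident).
# Assumed line format: <timestamp> <sender> <recipient> <attachment filename>
SAMPLE_LOG = """\
2012-06-10T08:01:12 alice@corp.example bob@corp.example plant_layout_rev3.dwg
2012-06-10T08:02:40 eng-ws17@corp.example drop.box@mail-relay.example pump_station.dwg
2012-06-10T08:02:41 eng-ws17@corp.example drop.box@mail-relay.example valve_manifold.dxf
2012-06-10T08:02:43 eng-ws17@corp.example drop.box@mail-relay.example substation_single_line.dwg
2012-06-10T08:05:09 carol@corp.example vendor@supplier.example quote.pdf
2012-06-10T08:07:55 dave@corp.example partner@partner.example turbine_housing.dwg
"""

# AutoCAD drawing/interchange/template extensions worth watching on the way out.
CAD_EXTENSIONS = (".dwg", ".dxf", ".dwt")
# Assumed set of domains that count as "inside" the organization.
INTERNAL_DOMAINS = {"corp.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, rcpt, attachment = m.groups()
    return {"ts": ts, "sender": sender, "rcpt": rcpt, "attachment": attachment}


def is_external(address):
    """True when the address's domain is not one of ours (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def is_cad_attachment(filename):
    """True when the attachment name carries a CAD extension."""
    return filename.lower().endswith(CAD_EXTENSIONS)


def find_cad_exfiltration(log_text, threshold=3):
    """Return {(sender, recipient): [attachments]} for every sender/recipient
    pair that sent at least `threshold` CAD attachments to an external address.
    A single drawing sent to a partner is normal; a burst to one outside
    inbox is the pattern worth a closer look."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash the scan
        if is_cad_attachment(rec["attachment"]) and is_external(rec["rcpt"]):
            per_pair[(rec["sender"], rec["rcpt"])].append(rec["attachment"])
    return {pair: files for pair, files in per_pair.items() if len(files) >= threshold}


if __name__ == "__main__":
    for (sender, rcpt), files in find_cad_exfiltration(SAMPLE_LOG).items():
        print(f"ALERT {sender} -> {rcpt}: {len(files)} CAD files {files}")
```

In the sample, only the workstation mailing three drawings to the external relay inbox crosses the threshold; the single drawing sent to a partner and the internal transfer do not. In practice the threshold would be tuned per site, and filename checks should be paired with content inspection, since an attacker can rename files before sending them.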

The most noted attack of this type is Stuxnet. Stuxnet was a sophisticated computer worm and Trojan that attacked a widely used industrial control system, and it appears to have been aimed directly at the Iranian nuclear enrichment program. Cyber investigator Jeffrey Carr pointed out that the control-system-attacking Stuxnet worm was responsible for the disruption of the Indian Space Research Organization satellite INSAT-4B. When looking at who might have been responsible for this and other acts of cyber aggression, fingers are often pointed toward China and Pakistan. It is important to note that India learned from this and other cyberattacks and took defensive measures. These measures were responsible for stopping a 2010 SCADA system attack that targeted India and could have disrupted or damaged 70 rigs of the Oil and Natural Gas Corp. that operate within India.

The risk of this type of cyberattack on control systems has made it to the most senior levels in business, government, industry, homeland security and the military. PLCs, SCADA systems and DCs are high-value targets, and cyberattacks on them worry government officials in many countries. To help mitigate this threat, the National Institute of Standards and Technology (NIST) provides guidance on establishing secure industrial control systems. In addition, a May 2012 article in Government Security News titled “The Danger of SCADA Vulnerability Exposure” points out that “government agencies, contractors and SCADA suppliers must continue to invest in defensive security measures to mitigate the risk of cyberattack.”

The vulnerability of control systems to cyberattacks is now being addressed by the industrial control and security industries. Just recently one vendor announced a SCADA firewall product, a giant step in the right direction. However, much more is needed to reduce the risk of control system attacks resulting in service disruptions. The big question: Do we have enough time before a serious cyberattack is successful?

One measure of concern over cybersecurity is the number of new employment positions created in support of this domain. While it is clear that employment in this area is growing, from time to time I go to one of the major job boards that specialize in jobs for people with security clearances and search on a specific cyber-related job title to look at the number of positions employers are looking to fill.

I just did that again and found eight and one-quarter pages of positions available. The postings started at the end of April and run through June 15. Each page contains 20 job postings, so that is more than 180 open spots for just one cyber job title. Forbes just ran an article titled “New Grad Looking for a Job? Pentagon Contractors Post Openings for Black-Hat Hackers.”

Now consider the number of colleges and universities that have added cyber-related courses and degrees to their curricula. There are plenty of online and classroom-based programs covering a plethora of related subject matter. Add to that the number of continuing education and professional development programs that are being widely offered, and you begin to get a picture of the current supply and demand balance in this area.

One thing seems to be all but absent. It is very rare to come across the management- and officer-level programs that are needed to support this new domain of conflict. A few military-related organizations are now offering programs at the officer level, but fewer are available in the private sector. Education is key to managing this risk, and it must be nearly continuous education given the pace of change we are seeing in the cyber threat environment. That is a critical shortcoming that needs to be addressed, and quickly.

Intelligence leaks are inevitable, but the frequency and severity of the recent U.S. intelligence leaks are far from typical. The New York Times article that disclosed the source of the Stuxnet attack on Iran’s nuclear program, coupled with the disclosure of the doctor in Pakistan who collected the Bin Laden family’s DNA for positive identification, and of the covert operative who had infiltrated al-Qaeda and warned of the new underwear bombing plot, are quite unusual in terms of their implications.

When intelligence organizations share the information they collect, it is based on trust and a need to know. Some foreign intelligence partners would have to be concerned about the recent U.S. intelligence disclosures. I requested and received some comments about the recent intelligence disclosures, and as usual the sources spoke on the condition of anonymity.

From a cleared resource in the United States: What the hell were they thinking? Isn’t that what is referred to as a Dr. Phil moment?

From an inside source in Britain: Whitehall is aghast and in disbelief.

From a security professional in Israel: I’m not sure yet what to think. Israel usually doesn't "talk" about things like this, but America has to put out the information.

If you were an intelligence officer, would you be concerned about putting at risk one of your intelligence sources, as well as all the time and money it takes to put an asset in place, after what the world read and heard of late? It would at least cause you to pause and think about it. That slight delay could have disastrous consequences.

Will a big chill come over relations between the United States and its intelligence partners around the world? Time will tell, and the damage this has done will undoubtedly take some time to repair.

Detailed news reports about a joint U.S.-Israel cyber operation named Olympic Games (more commonly called Stuxnet), which launched a cyberattack initiative that damaged Iran’s nuclear enrichment program, burst onto the world’s computer screens late last week. A source told me that this was a highly classified operation and that they were “shocked and concerned about the release of this information.” It is important to keep in mind that this is just the latest leak of sensitive, classified information of late; others include the “underwear bomb plot” and the news about the doctor in Pakistan who assisted the United States in identifying and locating Osama bin Laden. All of these have taken place in 2012, and one comment I overheard was that the last time there were this many leaks, Noah built himself an ark.

When you combine this public disclosure with the Duqu cyberattack, discovered in September 2011, and now Flame, discovered in May 2012, one cannot help but become concerned. Clearly, fallout from the recent disclosure and the other events is expected. What form that fallout will take is anyone’s guess. Many intelligence analysts believe a retaliatory strike by Iran is all but certain. Whether it will be a cyberattack or a more traditional kinetic response is what is up for debate.

White House spokesman Josh Earnest was asked about Stuxnet on June 1, and he reportedly would not discuss whether the United States was responsible for the Stuxnet cyberattack. It is also reported that he went on to say: “That information is classified for a reason, and it is kept secret. It is intended not to be publicized because publicizing it would pose a threat to our national security.”

He is wrong about that: it isn’t a secret anymore. He is right about the rest; it’s too bad that it was inappropriately leaked, resulting in it being published worldwide.